Senate heads toward vote on CISA cyberthreat info sharing bill

The U.S. Senate could take a preliminary vote as soon as Wednesday on a controversial bill intended to encourage businesses to share cyberthreat information with each other and with government agencies, despite concerns that the legislation would allow the widespread sharing of personal customer data.

Senate leaders are attempting to iron out compromise language to address privacy concerns in the Cybersecurity Information Sharing Act (CISA), but if no compromise is reached Senate Majority Leader Mitch McConnell will schedule a so-called cloture vote on Wednesday morning, said a spokesman for McConnell, a Kentucky Republican.

A cloture vote would limit debate on the bill and move the Senate toward final passage, potentially before the Senate leaves for a four-week summer recess this weekend.

CISA would protect from customer lawsuits businesses that share cyberthreat information, but privacy groups have opposed the bill, saying it would allow businesses to share customers' personal information with the National Security Agency and other intelligence agencies.

CISA would be a "trigger" for the NSA to target U.S. residents for surveillance, Jonathan Mayer, a security researcher and lawyer at Stanford University, said last week.

CISA could "contribute to the compromise of personally identifiable information by spreading it further", by mandating that DHS, the agency that would receive most of the shared cyberthreat information, share that information in real time without scrubbing out personal data, the agency said in its letter.

Privacy groups criticized the move toward a vote in the Senate after a recent campaign against the bill resulted in more than 6 million faxes sent to Congress.

Digital rights group Access is "deeply disappointed that Leader McConnell has chosen to ignore the will of the people and push ahead with consideration of this deeply flawed cybersurveillance bill before the August recess," Amie Stepanovich, U.S. policy manager for the group, said by email. "Any senator who values privacy and security must reject this attempt to sacrifice both at the altar of increased surveillance and corporate liability protections."

Supporters of CISA say the legislation is needed to stimulate a cyberthreat information sharing culture among U.S. businesses. Many businesses are reluctant to share information because of potential customer lawsuits, said former U.S. Representative Mike Rogers, sponsor of the controversial Cyber Intelligence Sharing and Protection Act (CISPA), a similar bill that failed to become law after President Barack Obama threatened to veto it.

CISA is the "one piece of legislation" that could help fix the U.S. cybersecurity weaknesses, Rogers said during a cybersecurity event Monday. "If we can share malicious source code in real time -- machine to machine, zeroes and ones in light speed -- we might be able to put a dent in this."

The concerns from DHS over CISA means "our own government is going to work against itself over the details over how we come up with a cybersharing regime," Rogers added.

Grant Gross covers technology and telecom policy in the U.S. government for The IDG News Service. Follow Grant on Twitter at GrantGross. Grant's email address is grant_gross@idg.com.

Copyright 2018 IDG Communications. ABN 14 001 592 650. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of IDG Communications is prohibited.